
30 Oct. 2024

IAM Online Community

Striking a Balance: Enhancing IAM Security While Maintaining Ease of Use in Higher Education


By: Jean Chorazyczewski, InCommon Academy Director

Estimated reading time: 7 minutes

IAM SPEAKER SPOTLIGHT SUMMARY: Explore strategies for enhancing IAM security while maintaining user convenience in higher education. Join experts as they discuss the challenges posed by social engineering attacks and share insights on balancing robust security measures with seamless access for students, faculty, and staff.

Understanding the IAM Challenge in Higher Education

Higher education institutions face an ever-growing challenge: how to keep their systems secure without making life difficult for their users. Social engineering attacks like phishing, identity fraud, and fraudulent password reset requests are becoming more sophisticated and frequent. 

According to EDUCAUSE in May 2024, education is the top target for hackers globally, with nearly 2,300 attacks per week. Universities, with their open networks and vast numbers of students, faculty, and staff, are prime targets. 

These attacks interfere with Identity and Access Management (IAM) processes, leading to security breaches, compromised accounts, and data loss.

High Expectations for Seamless Access

So, what’s the issue? Today’s users — whether students, faculty, or staff — expect quick, intuitive, and frictionless access, similar to what they experience with platforms like social media, online banking, and e-commerce. 

In a higher education environment, where users may log in multiple times a day to access various systems — email, course management, research databases, or collaboration tools — the process needs to be fast and straightforward.

The Risk of Intrusive Security Measures

If security measures become too intrusive, users might resort to workarounds, like saving passwords in unsecured places or bypassing multi-factor authentication. This undermines IAM’s security goals. 

Balancing security and usability is not just about convenience; it is essential for ensuring that security protocols are effective and followed.

Join the Webinar

To address these challenges, our upcoming webinar on Wednesday, Nov. 20, at 1:00 p.m. ET, “IAM in Higher Ed: Balancing Security and Ease of Use,” will bring together experts to explore strategies for strengthening security without compromising the user experience.

Join Matt Morton, assistant vice president and CISO at the University of Chicago, along with Eric Zematis, CISO, and Forest Crowley, security architect/IAM manager at Lehigh University, as they share insights and practical approaches for combating social engineering threats while keeping systems user-friendly.

Jeremy Rosenberg, assistant vice president for IT and chief information security officer at Yale University, will moderate the webinar.

Matt Morton
assistant vice president and CISO
University of Chicago

Eric Zematis
CISO
Lehigh University

Forest Crowley
security architect/IAM manager
Lehigh University

Q&A Highlights: Tackling IAM Challenges in Higher Education

Ahead of the Nov. 20 webinar, we spoke with Morton, Zematis, and Crowley to gather key insights about IAM challenges they have faced. Here are the highlights from our conversation.

Q: Why is balancing security and convenience in IAM particularly challenging for higher education institutions today?

Eric Zematis and Forest Crowley (Lehigh University): Higher education institutions struggle to balance IAM security and convenience due to their diverse community base with varying needs and the ‘open’ culture. This is further complicated by adversaries identifying education as a soft target and stringent compliance requirements.

Matt Morton (University of Chicago): Identity is at the core of most attacks today and it also has the most impact on users when steps are taken to secure accounts or change processes. As a result, it’s important to balance these items carefully with the risks that are being mitigated.


Q: Social engineering attacks, such as phishing and fraudulent requests, are becoming more common. What types of attacks are you seeing, and how are they impacting IAM processes?


Eric Zematis and Forest Crowley (Lehigh University): We continue to see a significant volume of email-based phishing attacks. In addition, we are seeing more phone/SMS impersonation attacks. This has been a challenge for our Help Desk, which now needs to initiate Zoom calls for ID verification.

Matt Morton (University of Chicago): We are seeing an increase in attacks at the service desk where the threat actors are attempting to reset credentials like passwords and Duo phone numbers by calling in. We require a visual recertification via Zoom, but it is putting a significant workload on the desk that was not planned for.


Q: What are some of the most common challenges or misconceptions you’ve encountered in strengthening IAM security while keeping things user-friendly?


Eric Zematis and Forest Crowley (Lehigh University): A key challenge to strengthening identity security is user friction. User authentication occurs so frequently that small changes can often be a major obstacle. 

Another challenge is securing limited resources (money and personnel) to properly implement and maintain IAM systems, which are often complex and require continuous attention.

Matt Morton (University of Chicago): Many faculty and researchers engage in extensive international collaborations, which broadens the attack surface for both their accounts and those of their collaborators. Securing by geolocation alone is insufficient. It’s essential that the support desk is trained to recognize international identifiers and can work without bias or assumptions when verifying this group.


Q: What is one lesson you’ve learned from your experience in navigating the balance between security and usability in IAM?


Eric Zematis and Forest Crowley (Lehigh University): When implementing new security measures, like multi-factor authentication (MFA), clearly explaining the ‘why’ behind the change can significantly reduce resistance and improve overall security posture. People are more likely to embrace security measures when they understand their importance and how they benefit, rather than feeling like they’re just pointless hurdles to overcome.

Matt Morton (University of Chicago): One key lesson I’ve learned in navigating the balance between security and usability in IAM is that user experience is critical to security adoption. Striking the right balance requires simplifying the user journey wherever possible — especially in tasks like authentication and access requests — while implementing robust security controls. 

For example, adopting technologies like single sign-on (SSO) and adaptive MFA can improve both security and usability by reducing friction for users in low-risk scenarios while tightening controls in higher-risk contexts. 

Ultimately, aligning security requirements with user convenience enhances compliance and reduces the likelihood of security workarounds or “shadow IT.”
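The adaptive MFA idea in Morton’s answer, combined with his earlier point that geolocation alone is an insufficient signal and the help-desk factor-reset attacks both institutions describe, can be made concrete as a small risk-scoring policy. The code below is an added illustration, not code from the University of Chicago, Lehigh, or InCommon. The signal names, weights, thresholds, factor tiers, and the sign-in events it runs are all assumptions constructed for the example: a routine sign-in from a known device on home turf passes silently, a single weak signal such as an unfamiliar country only earns a push prompt, and a request to change a password or MFA factor is never allowed on a push alone and is held for out-of-band identity verification when it also arrives from a new device in an unusual place.

```python
"""Adaptive MFA step-up policy (added example; signal names, weights and
thresholds are assumptions, not any institution's real configuration)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set, Tuple

# Hypothetical weights: no single signal short of impossible travel blocks
# a login on its own; it is the combination that raises the bar.
WEIGHTS = {
    "new_device": 2,         # device never seen for this user
    "unusual_country": 1,    # geolocation alone is a weak signal
    "impossible_travel": 4,  # distance since last sign-in exceeds air speed
    "factor_change": 3,      # password / MFA enrollment change (help-desk target)
}
MAX_PLAUSIBLE_KMH = 900.0     # assumed ceiling for legitimate travel speed


@dataclass
class SignIn:
    user: str
    when: datetime
    country: str
    lat: float
    lon: float
    device_id: str
    action: str = "login"     # "login" or "reset_factor"


@dataclass
class UserHistory:
    known_devices: Set[str]
    home_countries: Set[str]
    last_seen: Optional[SignIn] = None


def km_between(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dp, dl = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dp / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def risk_signals(hist: UserHistory, s: SignIn) -> List[str]:
    """Collect the risk signals present on one sign-in attempt."""
    signals: List[str] = []
    if s.device_id not in hist.known_devices:
        signals.append("new_device")
    if s.country not in hist.home_countries:
        signals.append("unusual_country")
    prev = hist.last_seen
    if prev is not None:
        hours = (s.when - prev.when).total_seconds() / 3600.0
        dist = km_between(prev.lat, prev.lon, s.lat, s.lon)
        # Non-positive elapsed time (clock skew, replay) with real distance
        # is treated as impossible travel rather than dividing by zero.
        if (hours <= 0 and dist > 50) or (hours > 0 and dist / hours > MAX_PLAUSIBLE_KMH):
            signals.append("impossible_travel")
    if s.action == "reset_factor":
        signals.append("factor_change")
    return signals


def decide(signals: List[str]) -> str:
    """Map a signal set to the weakest acceptable authentication outcome."""
    score = sum(WEIGHTS[x] for x in signals)
    if score == 0:
        return "allow"                          # known device, home, no changes
    if score <= 2:
        return "push_mfa"                       # low risk: ordinary push prompt
    if score <= 5:
        return "phishing_resistant_mfa"         # e.g. FIDO2 / passkey, no push
    return "hold_for_identity_verification"     # out-of-band check (video ID etc.)


def evaluate(hist: UserHistory, s: SignIn) -> Tuple[List[str], str]:
    signals = risk_signals(hist, s)
    return signals, decide(signals)


def demo() -> List[Tuple[str, str]]:
    """Constructed sign-in events (not real data) run through the policy."""
    t0 = datetime(2024, 11, 20, 13, 0, tzinfo=timezone.utc)
    chicago = (41.88, -87.63)
    tokyo = (35.68, 139.69)
    h = timedelta(hours=1)
    hist = UserHistory(known_devices={"laptop-a1"}, home_countries={"US"},
                       last_seen=SignIn("alice", t0, "US", *chicago, "laptop-a1"))
    cases = [
        ("known device, campus", SignIn("alice", t0 + h, "US", *chicago, "laptop-a1")),
        ("new device, campus", SignIn("alice", t0 + h, "US", *chicago, "phone-x9")),
        ("known device, Tokyo 1h later", SignIn("alice", t0 + h, "JP", *tokyo, "laptop-a1")),
        ("factor reset, known device, campus",
         SignIn("alice", t0 + h, "US", *chicago, "laptop-a1", "reset_factor")),
        ("factor reset, new device, abroad next day",
         SignIn("alice", t0 + timedelta(days=1), "JP", *tokyo, "phone-x9", "reset_factor")),
    ]
    return [(label, evaluate(hist, s)[1]) for label, s in cases]


if __name__ == "__main__":
    for label, outcome in demo():
        print(f"{label:45s} -> {outcome}")
```

The point of the weighting is the one the interviewees make: a researcher signing in from abroad on a known laptop gets a push, not a lockout, while a factor reset is always pushed to a phishing-resistant factor or, when it looks like the caller-impersonation pattern, to the same kind of out-of-band identity check the help desks describe.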


Q: What do you hope attendees will take away from this webinar, particularly when it comes to enhancing IAM practices to protect against these types of threats?


Eric Zematis and Forest Crowley (Lehigh University): Attendees should leave recognizing that IAM is not a ‘set it and forget it’ task, but requires continuous monitoring and adaptation to emerging threats like social engineering. They should be prepared to proactively update policies, educate users, and evolve their security measures to stay ahead of these ever-changing threats.

Matt Morton (University of Chicago): I hope attendees leave this webinar with a clear understanding of how critical it is to strike the right balance between robust security controls and user experience in IAM. I want them to take away practical strategies for enhancing IAM practices, such as implementing adaptive MFA, enforcing least privilege access, and improving identity governance. 

Additionally, I hope they recognize the importance of ongoing user education and integrating IAM with other security tools like threat detection systems to protect against emerging threats. 

Overall, I think the goal is for attendees to feel empowered to strengthen their IAM frameworks in a way that not only improves security but also supports operational efficiency and user adoption.

Join Us for IAM Online

Whether you’re an IT leader, a security professional, or part of a help desk team, you’ll gain insights into how to navigate these evolving threats while keeping user experiences smooth. Our speakers will share their firsthand experiences with these attacks, discussing what’s happening at their institutions, the strategies they’re implementing, and practical tips to consider — even if there’s no one-size-fits-all solution.

Please join us online for “IAM in Higher Ed: Balancing Security and Ease of Use” on Wednesday, Nov. 20, 2024, at 1:00 p.m. ET.

Register for this Webinar

Please Note: We’ve introduced a new, improved registration process for our webinars. You’ll now register individually for each webinar, which allows us to deliver content that’s even more aligned with what you want to see. Get ready for more engaging, community-driven webinars designed with you in mind!

Do you have ideas for IAM Webinars you would like to attend? Fill out this form and let us know what you’d like to see.